I believe I am being spied on through a keylogger

I am 99.9% sure my ex is tracking everything I am doing through some kind of software - either keylogger or some kind of desktop watching software - and this is getting incredibly obvious and creepy. I got to the apple forums through this old thread (https://discussions.apple.com/thread/4243511?start=0&tstart=0) and have followed the instructions of the first replier (Linc Davis). Any help deciphering my results would be greatly appreciated.


Step 1:

Christians-iMac:~ imac$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'


Step 2:

Christians-iMac:~ imac$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

WARNING: Improper use of the sudo command could lead to data loss
or the deletion of important system files. Please double-check your
typing when using sudo. Type "man sudo" for more information.

To proceed, enter your password, or type Ctrl-C to abort.

Password:
com.microsoft.office.licensing.helper
com.google.keystone.daemon
com.anchorfree.ajaxserver
com.adobe.fpsaud


Step 3:

Christians-iMac:~ imac$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'
org.mozilla.firefox.49312
com.google.Chrome.26256
com.google.GoogleDrive.11120
org.glimmerblocker.updater
com.google.keystone.system.agent
com.divx.update.agent
com.divx.dms.agent
com.valvesoftware.steamclean
com.spotify.webhelper


Step 4:

Christians-iMac:~ imac$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null
/Library/Components:

/Library/Extensions:
ATTOCelerityFC8.kext
ATTOExpressSASHBA2.kext
ATTOExpressSASRAID2.kext
ArcMSR.kext
CalDigitHDProDrv.kext
HighPointIOP.kext
HighPointRR.kext
PromiseSTEX.kext
SoftRAID.kext

/Library/Frameworks:
AEProfiling.framework
AERegistration.framework
AudioMixEngine.framework
DivX Toolkit.framework
DivXInstallerUtilities.framework
NyxAudioAnalysis.framework
PluginManager.framework
TIAppKit.framework
TIConnectManagerXInteraction.framework
TIDataConversionBase.framework
TIPluginLocator.framework
iTunesLibrary.framework

/Library/Input Methods:

/Library/Internet Plug-Ins:
Default Browser.plugin
DirectorShockwave.plugin
DivX Web Player.plugin
Flash Player.plugin
JavaAppletPlugin.plugin
OVSHelper.plugin
Quartz Composer.webplugin
QuickTime Plugin.plugin
SharePointBrowserPlugin.plugin
SharePointWebKitPlugin.webplugin
Silverlight.plugin
flashplayer.xpt
googletalkbrowserplugin.plugin
npgtpo3dautoplugin.plugin
nsIQTScriptablePlugin.xpt
o1dbrowserplugin.plugin

/Library/Keyboard Layouts:

/Library/LaunchAgents:
com.divx.dms.agent.plist
com.divx.update.agent.plist
com.google.keystone.agent.plist
org.glimmerblocker.updater.plist

/Library/LaunchDaemons:
com.adobe.fpsaud.plist
com.anchorfree.ajaxserver.plist
com.google.keystone.daemon.plist
com.microsoft.office.licensing.helper.plist
org.eyebeam.SelfControl.plist

/Library/PreferencePanes:
Flash Player.prefPane
GlimmerBlocker.prefPane
Pref360Control.prefPane

/Library/PrivilegedHelperTools:
Google Drive Icon Helper
com.microsoft.office.licensing.helper
org.eyebeam.SelfControl
scheckup

/Library/QuickLook:
iBooksAuthor.qlgenerator
iWork.qlgenerator

/Library/QuickTime:
AppleIntermediateCodec.component
AppleMPEG2Codec.component
DivX Decoder.component
DivX Encoder.component

/Library/ScriptingAdditions:

/Library/Services:
TI Connect Manager X.app

/Library/Spotlight:
Microsoft Office.mdimporter
iBooksAuthor.mdimporter
iWork.mdimporter

/Library/StartupItems:
360ControlDaemon
ChmodBPF

/etc/mach_init.d:

/etc/mach_init_per_login_session.d:

/etc/mach_init_per_user.d:

Library/Fonts:

Library/Input Methods:
.localized

Library/Internet Plug-Ins:

Library/Keyboard Layouts:

Library/LaunchAgents:
com.spotify.webhelper.plist
com.valvesoftware.steamclean.plist

Library/PreferencePanes:

Library/Services:
.localized

Step 5:

Christians-iMac:~ imac$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

i


Thanks in advance.

iMac, iOS 7.0.4

Posted on Jan 22, 2014 7:14 AM


Jan 23, 2014 10:54 AM in response to ChristianLB

If someone really wanted to hide a keylogger, they'd surely alter the name so that it wasn't the same as known keylogging software.

If you are 99.9% sure, the only thing to do is erase the drive & reinstall, very selectively importing things afterwards.

Having said that, if you're so certain - you should involve law enforcement before removing the evidence.

Jan 24, 2014 4:02 AM in response to ChristianLB

The police or a lawyer are best placed to say whether or not that's illegal.


Buy an external drive, clone or physically swap the existing one for later inspection, then proceed as above, setting up a fresh network connection & resetting any router/modem that's used & utilising new passwords at a suitably high security setting. Check that it's not a model which can be readily compromised.


Verify what DNS servers are set, since some services (like opendns) may allow parental monitoring (I'm not sure, but they do allow filtering/blocking).

Jan 24, 2014 11:02 AM in response to ChristianLB

You're welcome.

There's none that I know in that list, although altering names is fairly trivial, so if you've a strong suspicion, or simply value your peace of mind, I'd start afresh in any case, just as you would if buying a used computer (changing any passwords & checking details in case they are already known).


I don't know if Hotspot Shield can keep a record of sites visited (that's the com.anchorfree.ajaxserver.plist)


Check DNS in both router/modem and System Preferences - Network. Use your ISP's suggested servers unless you have good reason not to.
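
Added example, not part of the thread: the replies point out that names are easy to alter, and the listings in the question already show a loaded label (`com.google.keystone.system.agent`) with no file of exactly that name (the file is `com.google.keystone.agent.plist`). This Python code reviews launchd job files by the program they run and cross-checks them against loaded labels; `describe_job` and `review` are hypothetical helper names, and the plist contents and program paths are constructed placeholders.

```python
import plistlib

def describe_job(filename, plist_bytes):
    """Pull out the launchd job fields worth reviewing: what runs, and when."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or []
    return {
        "file": filename,
        "label": job.get("Label", ""),
        # launchd executes Program if present, otherwise ProgramArguments[0]
        "program": job.get("Program") or (args[0] if args else ""),
        "persistent": bool(job.get("RunAtLoad") or job.get("KeepAlive")),
    }

def review(jobs, loaded_labels):
    """Cross-check job files in one directory against loaded launchctl labels."""
    notes = []
    on_disk = {j["label"] for j in jobs}
    for j in jobs:
        if j["file"] != j["label"] + ".plist":
            notes.append(("label-differs-from-filename", j["file"], j["label"]))
        if j["label"] not in loaded_labels:
            notes.append(("on-disk-not-loaded", j["file"], j["program"]))
    for label in sorted(set(loaded_labels) - on_disk):
        notes.append(("loaded-but-no-plist-in-this-directory", label, ""))
    return notes

# Constructed sample: names follow the listings in the question, but the plist
# contents and program paths are placeholders, not read from a real machine.
SAMPLE_FILES = {
    "com.google.keystone.agent.plist": plistlib.dumps({
        "Label": "com.google.keystone.system.agent",
        "ProgramArguments": ["/placeholder/keystone-agent"],
        "RunAtLoad": True}),
    "org.glimmerblocker.updater.plist": plistlib.dumps({
        "Label": "org.glimmerblocker.updater",
        "Program": "/placeholder/glimmerblocker-updater"}),
}
SAMPLE_LOADED = ["com.google.keystone.system.agent",
                 "org.glimmerblocker.updater", "com.spotify.webhelper"]

def run_sample():
    jobs = [describe_job(name, data) for name, data in SAMPLE_FILES.items()]
    return jobs, review(jobs, SAMPLE_LOADED)

if __name__ == "__main__":
    jobs, notes = run_sample()
    for j in jobs:
        print(j["file"], "->", j["program"], "(persistent)" if j["persistent"] else "")
    for note in notes:
        print(*note)
```

A note such as `loaded-but-no-plist-in-this-directory` only means the job was defined somewhere else (another LaunchAgents directory, or an application), so the useful follow-up is to look at the program path each job actually runs.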
